CRISC Certified in Risk and Information
Systems Control Questions and Answers
The goal of confidentiality is to - ✅ keep information systems and data from being
accessed by people who do not have the authorization, need-to-know, or security
clearance to access that information
Confidentiality can be achieved through - ✅ security protection mechanisms
such as rights, privileges, permissions, encryption, authentication, and other access
controls
The opposite of confidentiality is - ✅ unauthorized disclosure
Integrity is - ✅ the characteristic of data that means the data has not been subject to unauthorized modification or alteration
Integrity is achieved - ✅ using checksums, message digests, and other verification methods
The opposite of integrity is - ✅ data alteration
Data modification or alteration can happen - ✅ accidentally, such as when data is inadvertently changed because of human error or faulty transmission media. It can also happen intentionally (usually maliciously, when the modification is unauthorized) through direct interaction with the data during storage or transmission, such as during an attack
The opposite of availability is - ✅ data destruction or denial of service
A security control is - ✅ a measure or protection applied to data, systems, people, facilities, and other resources to protect them from adverse events
Access controls directly support - ✅ the confidentiality and integrity goals of security
Access controls indirectly support - ✅ the goal of availability
An access control essentially means - ✅ proactively ensuring that only authorized personnel are able to access data or the information systems that process that data
Several different types of access controls are - ✅ identification and authentication methods, encryption, and object permissions
Administrative controls are - ✅ implemented as policies, procedures, rules and regulations, and other types of directives or governance
Technical controls are - ✅ firewalls, proxy servers, virtual private network (VPN)
concentrators, encryption techniques, file and folder permissions, and so on
Physical controls are - ✅ those used to protect people, equipment, and facilities.
Examples of physical controls include fences, closed-circuit television cameras, guards,
gates, and restricted areas
You can also classify access controls in terms of their functions as - ✅ preventative controls, detective controls, corrective or remedial controls, deterrent controls, and compensating controls
The term asset can be applied to - ✅ data, systems, capabilities, people, equipment,
facilities, processes, proprietary methods, and so on; it is anything the organization
values and desires to protect
Data (or other asset) sensitivity refers to - ✅ how much protection the organization feels a particular system or piece of data requires, based on its value to the organization and the impact if it were lost, stolen, or destroyed
Another word for sensitivity level? - ✅ classification level
Data sensitivity is driven by - ✅ the value of the data to the organization and by the impact if it is lost, stolen, or destroyed
Data sensitivity is balanced by - ✅ the commitment of resources the organization is willing to provide to protect that data
Data sensitivity and classification policies specify - ✅ different formal levels of
sensitivity in the organization and what those levels require in terms of protection
Identification refers to - ✅ the act of an individual or entity presenting valid credentials to a security system in order to assert that they are a specific entity
Authentication is - ✅ the second part of that process, where your identity is verified against a centralized database containing your authentication credentials
Methods of identification and authentication are - ✅ something you know (knowledge factor), something you have (possession factor), and something you are (biometric or inherence factor)
Authorization is - ✅ what happens once you've successfully identified yourself and been
authenticated to the network